CEF Mapping

The CEF standard from ArcSight defines a set of required fields and a set of optional fields; the latter are called extensions in the CEF standard. Data is mapped to these fields from Guardium configuration information and reports, as described below. Note that not all Guardium fields map to a CEF field, so there may not be a one-to-one relationship between the rows of a printed report and the CEF file produced for that report. Also note that this facility is intended to map data from data access domains (Data Access, Exceptions, and Policy Violations, for example), and not from Guardium self-monitoring domains (Aggregation/Archive, Audit Process, Guardium Logins, etc.).

The CEF fields in the following table are always present.

Required CEF Fields Mapping

CEF Field        Guardium Mapping
Version          0 (zero); currently the only version for the CEF format
Device Vendor    Guardium
Device Product   Guardium
Device Version   Guardium software version number
Signature ID     ReportID
Name             Report Title
Severity         Numeric severity code in the range 0-10, with 10 being the most important event. If not reset in the report, 0 (zero, which translates to "Info" for Guardium).

The CEF extension fields are optional, and will be present only when the mapping applies. For example, if the report does not contain an access rule description, the act field (the first extension field described below) will not be present. For more detailed information about the Guardium entities and attributes, see the appropriate entity reference topic.

CEF Extension Fields Mapping

CEF Field   Guardium Entity - Attribute and Notes
act         Policy Rule Violation - Access Rule Description
app         Client/Server - DB Protocol (TDS, TNS, etc.)
dst         Client/Server - Client IP for exceptions; otherwise Client/Server - Server IP
dhost       Client/Server - Server Host Name
dpt         Session - Client Port for exceptions; otherwise Session - Server Port
dproc       Client/Server - Source Program
duid        Client/Server - OS User
duser       Client/Server - DB User Name
end         The first time-stamp that applies:
              • The exception time in an exception report (Exception - Exception Timestamp)
              • The policy violation time in a policy violation report (Policy Rule Violation - Timestamp)
              • The access period end time (Access Period - Period End)
              • The session end time (Session - Session End)
fname       The service name (Client/Server - Service Name) or the database name (Session - Database Name), or if both are available, the concatenation of both values, separated by a hyphen (-)
msg         The first item available:
              • The exception description (Exception - Exception Description)
              • The message text (Message Text - Message Text)
              • The message subject (Message Text - Message Subject)
rt          The earliest Timestamp for the report.
src         Client/Server - Server IP for exceptions; otherwise Client/Server - Client IP
shost       Client/Server - Client Host Name
smac        Client/Server - Client MAC
spt         Session - Server Port for exceptions; otherwise Session - Client Port
start       The first time-stamp that applies:
              • The exception time in an exception report (Exception - Exception Timestamp)
              • The policy violation time in a policy violation report (Policy Rule Violation - Timestamp)
              • The access period start time (Access Period - Period Start)
              • The session start time (Session - Session Start)
proto       Client/Server - Network Protocol
request     First available:
              • FULL SQL - Full SQL if present
              • SQL - Sql
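The following Python is an added example that applies the two tables above to build a CEF line; it is not Guardium's CEF exporter. It assumes report rows arrive as dictionaries keyed by the "Entity - Attribute" names used in the mapping (the key for the rt field, "Report Timestamp", and the sample rows and version string are constructed placeholders). It shows the parts of the mapping a SIEM engineer most often has to verify by hand: the client/server swap for exception reports, the "first available" rule for end, start, msg and request, the hyphen-joined fname, omission of extensions that do not apply, and the CEF escaping of "|" in the header and "=" in extension values.

```python
"""Build ArcSight CEF lines from Guardium-style report rows (added example)."""

CEF_VERSION = 0            # the only CEF version per the required-fields table
DEVICE_VENDOR = "Guardium"
DEVICE_PRODUCT = "Guardium"
CS = "Client/Server - "


def escape_header(value):
    """CEF header fields escape backslash and the pipe separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values escape backslash, '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def first_present(row, *keys):
    """Implements the 'first item available' rule: first non-empty value or None."""
    for key in keys:
        value = row.get(key)
        if value not in (None, ""):
            return value
    return None


def build_extensions(row, is_exception=False):
    """Apply the extension table. For exception reports the client and server
    address/port swap sides between src/dst and spt/dpt."""
    ext = {
        "act": row.get("Policy Rule Violation - Access Rule Description"),
        "app": row.get(CS + "DB Protocol"),
    }
    if is_exception:
        ext["dst"], ext["dpt"] = row.get(CS + "Client IP"), row.get("Session - Client Port")
        ext["src"], ext["spt"] = row.get(CS + "Server IP"), row.get("Session - Server Port")
    else:
        ext["dst"], ext["dpt"] = row.get(CS + "Server IP"), row.get("Session - Server Port")
        ext["src"], ext["spt"] = row.get(CS + "Client IP"), row.get("Session - Client Port")
    ext["dhost"] = row.get(CS + "Server Host Name")
    ext["dproc"] = row.get(CS + "Source Program")
    ext["duid"] = row.get(CS + "OS User")
    ext["duser"] = row.get(CS + "DB User Name")
    ext["shost"] = row.get(CS + "Client Host Name")
    ext["smac"] = row.get(CS + "Client MAC")
    ext["proto"] = row.get(CS + "Network Protocol")
    ext["end"] = first_present(row, "Exception - Exception Timestamp",
                               "Policy Rule Violation - Timestamp",
                               "Access Period - Period End", "Session - Session End")
    ext["start"] = first_present(row, "Exception - Exception Timestamp",
                                 "Policy Rule Violation - Timestamp",
                                 "Access Period - Period Start", "Session - Session Start")
    ext["msg"] = first_present(row, "Exception - Exception Description",
                               "Message Text - Message Text", "Message Text - Message Subject")
    ext["request"] = first_present(row, "FULL SQL - Full SQL", "SQL - Sql")
    # fname: service name and/or database name, hyphen-joined when both exist
    parts = [p for p in (row.get(CS + "Service Name"), row.get("Session - Database Name")) if p]
    ext["fname"] = "-".join(parts) if parts else None
    ext["rt"] = row.get("Report Timestamp")   # assumed key for the earliest report timestamp
    # Extensions are optional: emit only those whose mapping applies
    return {k: v for k, v in ext.items() if v not in (None, "")}


def to_cef(row, report_id, report_title, device_version, severity=0, is_exception=False):
    """Assemble 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extensions'."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be in the range 0-10")
    header = "|".join(escape_header(v) for v in
                      (DEVICE_VENDOR, DEVICE_PRODUCT, device_version, report_id, report_title, severity))
    extension = " ".join(f"{k}={escape_extension(v)}" for k, v in build_extensions(row, is_exception).items())
    return f"CEF:{CEF_VERSION}|{header}|{extension}"


# Constructed sample rows; not real Guardium output.
POLICY_VIOLATION_ROW = {
    CS + "Client IP": "10.0.0.5", CS + "Server IP": "10.0.0.20", CS + "Server Host Name": "db01",
    CS + "DB Protocol": "TDS", CS + "DB User Name": "appuser", CS + "Service Name": "SALES",
    "Session - Database Name": "orders", "Session - Client Port": 51000, "Session - Server Port": 1433,
    "Policy Rule Violation - Access Rule Description": "Block select on CC=table",
    "Policy Rule Violation - Timestamp": "2024-01-01 12:00:00",
    "Session - Session Start": "2024-01-01 11:58:00", "FULL SQL - Full SQL": "select * from cards",
}
EXCEPTION_ROW = {
    CS + "Client IP": "10.0.0.5", CS + "Server IP": "10.0.0.20",
    "Session - Client Port": 51000, "Session - Server Port": 1521, "Session - Database Name": "orcl",
    "Exception - Exception Timestamp": "2024-01-01 12:05:00", "Exception - Exception Description": "LOGIN_FAILED",
}

if __name__ == "__main__":
    print(to_cef(POLICY_VIOLATION_ROW, "1001", "Policy Violations", "VERSION-PLACEHOLDER", severity=8))
    print(to_cef(EXCEPTION_ROW, "1234", "Failed Logins | Daily", "VERSION-PLACEHOLDER",
                 severity=5, is_exception=True))
```

Running it prints one line per row; the exception line shows dst carrying the client IP and spt the server port, while the policy-violation line keeps the usual orientation and takes its start and end from the violation timestamp rather than the session start, exactly as the "first time-stamp that applies" lists order them.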

For more information about CEF, search the web for "Common Event Format: Event Interoperability Standard," or visit the ArcSight Website: www.arcsight.com.